🔒 SSL Certificate Checker

Inspect any HTTPS site's TLS certificate — issuer, subject, SANs, validity, key size, signature algorithm, protocol version, cipher, and full chain — with warnings for expiring soon, self-signed, weak algorithms, and hostname mismatches.

Try: google.com github.com cloudflare.com stripe.com expired.badssl.com (expired) self-signed.badssl.com
⚙️
Fetching certificate…
Copied

About the SSL Checker

The SSL Checker opens a TLS connection to any HTTPS host, captures the full certificate chain, and inspects every field — issuer, subject, SANs, validity dates, key type + size, signature algorithm, serial number, SHA-256 / SHA-1 fingerprints, and key usage extensions. It also captures the negotiated protocol version (TLS 1.2 / 1.3) and cipher suite.

The tool deliberately does not validate the peer, so it will still return data for expired, self-signed, or hostname-mismatched certificates — the point is to help you diagnose what's broken. Every issue is highlighted as a warning at the top.

What the check reports

🔒 Overview

Certificate CN, days until expiry (with color-coded urgency — green > 30 days, amber < 30, red < 7 or expired), TLS version, and cipher.

📋 Subject & issuer

Full DN strings for both. Modern browsers ignore the Common Name — the SAN list is what matters.

🌐 SANs (Subject Alternative Names)

The list of hostnames the certificate is valid for. Wildcards (*.example.com) match exactly one label. The tool checks whether the queried host is in the SAN list and warns if not.

🔑 Key & signature

Key type (RSA / EC), key size in bits, and signature algorithm. Warns for RSA under 2048 bits or SHA-1 / MD5 signatures.

📅 Validity

Not-before / not-after dates, days remaining, and expired/not-yet-valid flags.

🔗 Full chain

Every certificate the server sent — leaf, intermediates, and (if included) root. Each is shown with subject + issuer + validity.

TLS versions in 2026

  • TLS 1.3 — the current standard. Uses forward-secret key exchange only, dropped all legacy ciphers, faster handshake (1-RTT). If you're running a modern web server, default to this.
  • TLS 1.2 — still widely supported and secure when paired with modern ciphers. Fine for legacy client compatibility.
  • TLS 1.1 / 1.0 / SSL 3.0 / SSL 2.0 — deprecated. Modern browsers reject them. If a server still supports these, disable them.

Wildcards, SANs, and CN

Every modern browser ignores the certificate's Common Name (CN) and validates only against the Subject Alternative Names (SANs) list. A cert with SAN *.example.com covers www.example.com and api.example.com — but not example.com itself, and not foo.bar.example.com. For the apex domain you need both example.com and *.example.com in the SANs. The tool checks the queried host against the SAN list and warns on mismatch.

Privacy & SSRF guard

Rate-limited to 30 requests per minute per IP. Refuses to connect to private/internal IP ranges. 8-second connection timeout. Nothing is stored.

Frequently asked questions

TLS 1.3 is the current standard — forward-secret, faster handshake. TLS 1.2 is still fine with modern ciphers. TLS 1.0 / 1.1 are deprecated and browsers reject them.
Subject Alternative Name — the list of hostnames a certificate is valid for. Browsers ignore the Common Name and check only SANs. A cert with SAN example.com and *.example.com covers both apex and any single-label subdomain.
*.example.com matches exactly one label — so www.example.com ✓, api.example.com ✓, but foo.bar.example.com ✗ and example.com ✗. For those you need explicit SANs.
To help you diagnose. The tool intentionally doesn't verify the peer — you can inspect broken, self-signed, expired, or hostname-mismatched certificates. All problems are flagged as warnings at the top.
Yes — enter host:port (e.g., mail.example.com:587 for STARTTLS-wrapped SMTP or example.com:8443 for an alt HTTPS port).